
How to analyze the default security group rules of Neutron

2025-04-03 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to analyze the default security group rules of Neutron. The editor finds it very practical and shares it here; I hope you take something away from reading it.

Neutron provides two ways for an instance to manage network security: security groups (Security Group) and virtual firewalls.

A security group works by filtering the instance's network traffic with iptables on the compute node where the instance runs.

Virtual firewalls are provided by the Neutron Firewall as a Service (FWaaS) advanced service. Underneath, FWaaS also uses iptables, filtering network packets on the Neutron router.

We will discuss both security schemes. This chapter focuses on the security group first.

Default security group

Each Project has a default security group named "default".

Click the menu Project -> Compute -> Access & Security to view the Security Group list.

Click the button to view the rules of the "default" security group.

The "default" security group has four rules, whose combined effect is that all outgoing (Egress) traffic is allowed while all incoming (Ingress) traffic is blocked.

When we create an instance, we can select a security group on the "Access & Security" tab.

If "default" is currently the only security group, it is applied automatically.

There is currently an instance "cirros-vm1" running on devstack-controller.

Execute the iptables-save command on devstack-controller to view the rules.

iptables contains many rules; here we select only those related to cirros-vm1. These rules are generated automatically by Neutron from the security group.

The TAP interface of cirros-vm1 is tap8bca5b86-23. From the rules you can see:

1. The iptables rules are applied to the Neutron port, where the port is the virtual network card tap8bca5b86-23 of cirros-vm1.

2. The ingress rule set is defined in the chain named "neutron-linuxbri-i8bca5b86-2".

3. The egress rule set is defined in the chain named "neutron-linuxbri-o8bca5b86-2".

Now let's run ping and ssh tests against cirros-vm1 from the dhcp namespace.

Neither ping nor ssh can reach cirros-vm1, which shows that the current rules implement the "default" security group: all ingress traffic is blocked.
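To make the reading of iptables-save above (points 1 to 3) and the failed ping/ssh test concrete, here is an added shell example; it is not code from the article or from the Neutron project. It embeds a constructed iptables-save excerpt modelled on the chain layout the linuxbridge firewall driver produces for the port behind tap8bca5b86-23 (trimmed to the chains the article discusses; the DHCP server address 10.0.0.2 is made up), derives the port's ingress and egress chain names from the TAP device name, and walks each chain's unconditional jumps to find the verdict for traffic that no explicit rule matches. The ingress chain ends in the sg-fallback DROP, which is why ping and ssh from the dhcp namespace got no reply, while the egress chain RETURNs to sg-chain, which accepts.

```shell
#!/bin/sh
# Added example (not from the article or Neutron): find the per-port security
# group chains for one instance and work out what happens to traffic that no
# explicit rule matches.
#
# CONSTRUCTED iptables-save excerpt, modelled on Neutron's linuxbridge driver
# output for tap8bca5b86-23 and trimmed to the chains discussed in the article.
# The DHCP server address 10.0.0.2 is made up.
RULES=$(cat <<'EOF'
*filter
:neutron-linuxbri-i8bca5b86-2 - [0:0]
:neutron-linuxbri-o8bca5b86-2 - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap8bca5b86-23 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-i8bca5b86-2
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap8bca5b86-23 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-linuxbri-o8bca5b86-2
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-i8bca5b86-2 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-linuxbri-i8bca5b86-2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i8bca5b86-2 -m state --state INVALID -j DROP
-A neutron-linuxbri-i8bca5b86-2 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o8bca5b86-2 -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-linuxbri-o8bca5b86-2 -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-linuxbri-o8bca5b86-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-o8bca5b86-2 -j RETURN
-A neutron-linuxbri-o8bca5b86-2 -m state --state INVALID -j DROP
-A neutron-linuxbri-o8bca5b86-2 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
EOF
)

# Neutron names a port's chains after the first 10 characters of the port ID,
# which is also what follows "tap" in the TAP device name.
port_chains() {
  suffix=$(printf '%s' "${1#tap}" | cut -c1-10)
  printf 'neutron-linuxbri-i%s neutron-linuxbri-o%s\n' "$suffix" "$suffix"
}

# Rules of one chain, with "-m comment" clauses stripped so that a rule with
# no other match options is recognisably unconditional.
chain_rules() {
  printf '%s\n' "$RULES" | sed 's/ -m comment --comment "[^"]*"//' |
    awk -v c="$1" '$1=="-A" && $2==c'
}

# Verdict for a packet matching none of the chain's conditional rules: follow
# the unconditional jumps in order, descending into user chains, until a
# terminal target is found. In Neutron's layout, RETURN from a port chain
# hands the packet back to neutron-linuxbri-sg-chain, which ACCEPTs it.
catch_all_verdict() {
  result=$(chain_rules "$1" | awk '$3=="-j" && NF==4 {print $4}' |
    while read -r target; do
      case $target in
        ACCEPT|DROP|REJECT|RETURN) echo "$target"; exit 0 ;;
        *) v=$(catch_all_verdict "$target")
           case $v in ACCEPT|DROP|REJECT) echo "$v"; exit 0 ;; esac ;;
      esac
    done)
  echo "${result:-NONE}"
}

# Summarise both directions for the instance's TAP device.
report() {
  set -- $(port_chains "$1")
  printf 'ingress chain %s: unmatched traffic -> %s\n' "$1" "$(catch_all_verdict "$1")"
  printf 'egress  chain %s: unmatched traffic -> %s\n' "$2" "$(catch_all_verdict "$2")"
}

report tap8bca5b86-23
```

On a real compute node, replace the heredoc with live output, for example `RULES=$(sudo iptables-save -t filter)`, and pass the instance's TAP device name to `report`. The excerpt deliberately leaves out the anti-spoofing chain that real output also contains, since its RETURN rule is conditional and would need a packet-level match to evaluate; the walk above only follows rules that match every packet.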

The above is how to analyze the Neutron default security group rules. The editor believes it covers some knowledge points we may meet or use in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
